Work in progress
0. The bible
systemctl get-default
systemctl set-default multi-user.target
systemd.unit=rescue.target
# Or
systemd.unit=emergency.target
# List all jobs running at boot time
systemctl list-jobs
Validate
cat /etc/sysconfig/network-scripts/ifcfg-my-con-eth0
Teaming
nmcli con add type team con-name team0 ifname team0 config '{"runner": {"name" : "roundrobin"}}'
nmcli con mod team0 ipv4.addresses "192.168.0.5/24"
nmcli con mod team0 ipv4.method manual
nmcli con add type team-slave con-name team0-port1 ifname eno1 master team0
nmcli con add type team-slave con-name team0-port2 ifname eno2 master team0
Validate
Bridging
Grading checks
Bridging
nmcli con add type bridge-slave con-name br1-port0 ifname eno1 master br1
brctl show
3. hostnamectl , ntp
timedatectl
...
NTP synchronized: yes
...
4. firewall-cmd
On-the-field tips
masquerade
port-forwarding
# simple
firewall-cmd --permanent --zone=public --add-forward-port 'port=513:proto=tcp:toport=132:toaddr=192.168.0.254'
reject traffic
5. selinux
# Log in via imaps to verify the email was received; double-check the sender domain
mutt -f imaps://student:password@imap.example.com
7. iscsi
This section assumes the candidate is familiar with block device commands, e.g. lsblk,
blkid, fdisk, etc. Often the candidate is asked to create a block-level disk to use as a
backstore for a LUN.
IQN - iqn.YYYY-MM.com.reversed.domain[:optional_string]
Server side
# Open firewall
firewall-cmd --permanent --add-port 3260/tcp
Client
Remove iscsi
umount /iscsidisk
iscsiadm -m node -T "iqn.2018-04.com.example:server1" -u
iscsiadm -m node -T "iqn.2018-04.com.example:server1" -o delete
ls -lah /var/lib/iscsi/nodes
8. NFS
You should be able to set up an NFS server exporting a non-secure and a secure (krb5) directory.
You may need to enrol with an LDAP server. Don't forget tools such as authconfig-gtk and
krb5-workstation.
server
# Start nfs-secure-server
systemctl enable nfs-secure-server
^enable^start
mkdir /secureexport
echo '/secureexport *.example.com(sec=krb5p,rw)' >>/etc/exports
exportfs -r
exportfs -v
RPCNFSDARGS="-V 4.2"
desktop
# Mount permanently
echo "server1:/secureexport /mnt/secureexport nfs defaults,v4.2,sec=krb5p,rw 0 0" >> /etc/fstab
mount -a
9. Samba
You should be able to set up a shared folder in serverX via samba; accessible to groups
mngt and employees . Users in group mngt should have write access.
server
desktop
# Mount multi-user
echo "//server/smbshare /mnt/share cifs credentials=/root/cred.txt,multiuser,sec=ntlmssp 0 0" >> /etc/fstab
mount -a
su - rob
cifscreds add server1
10. unbound
/etc/unbound/conf.d/forwarder.conf
server:
    interface: 0.0.0.0
    interface: ::0
    access-control: 172.25.1.0/24 allow
    domain-insecure: "example.com"
forward-zone:
    name: .
    forward-addr: 172.25.254.254
yum install unbound -y
systemctl enable unbound
systemctl start unbound
firewall-cmd --permanent --add-service dns
firewall-cmd --reload
11. httpd
<VirtualHost *:444>
    ServerName webapp1.example.com
    ServerAlias webapp1
    SSLEngine On
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    SSLHonorCipherOrder On
    SSLCertificateFile '/etc/pki/tls/certs/webapp1.crt'
    SSLCertificateKeyFile '/etc/pki/tls/private/webapp1.key'
    SSLCertificateChainFile '/etc/pki/tls/certs/ca-example.crt'
    DocumentRoot /srv/webapp1/www
</VirtualHost>
<Directory /srv/webapp1/www>
    Require all granted
</Directory>
Validate
$# number of args
$* all args as one word
$@ all args as an array
switch-case
case "$1" in
    start)
        do-foo
        ;;
    reload|restart)
        do-bar
        exit 0
        ;;
    *)
        do-default-action
        ;;
esac
Text manipulation
selinux
SMB
Create SMB share smbshare on serverX using mycompany workgroup
NFS
Configure the NFS server on serverX to meet the following requirements:
Share the newly created /krbnfs directory on serverX with krb5p security.
Allow read and write access on the share from the desktopX system.
SELinux labels are exported.
Preconfigured krb5 keytabs for the serverX and desktopX systems are available at:
http://classroom.example.com/pub/keytabs/serverX.keytab.
http://classroom.example.com/pub/keytabs/desktopX.keytab.
Mock exam
Q19: Clients within my133t.org should not have access to ssh on your systems.
Q20: Configure port forwarding on your machine system1 so that all incoming
connections on port 5909/tcp on the firewall are forwarded to port 80/tcp of the machine with the
172.26.1.0/24
Q21: Create a script named makeusers in the /root directory. When file.txt is passed as an
argument to the script, the users listed in that file are created with the /bin/false shell. When the file
name is different, the error file not found is shown; if no file is passed as an argument, the error
please write command again is shown.
content of file.txt
alice
bob
sheldon
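
One possible answer to Q21, as an added example that is not part of the original notes. The USERADD override, the name-validation rule, the skipping of existing accounts and the return codes are assumptions made here, not exam requirements.

```sh
#!/bin/sh
# Added example for Q21, not from the original notes. Install as /root/makeusers.
# USERADD is a hypothetical override for dry runs: USERADD=echo ./makeusers file.txt
LC_ALL=C; export LC_ALL
USERADD="${USERADD:-useradd}"

makeusers() {
    # $# is the argument count: anything but exactly one argument is an error
    if [ "$#" -ne 1 ]; then
        echo "please write command again" >&2
        return 2
    fi
    # A different file name, or a missing/unreadable file.txt
    if [ "${1##*/}" != "file.txt" ] || [ ! -r "$1" ]; then
        echo "file not found" >&2
        return 1
    fi
    mu_rc=0
    while IFS= read -r mu_user || [ -n "$mu_user" ]; do
        case "$mu_user" in
            '') continue ;;                       # blank line
            [!a-z_]*|*[!a-z0-9_-]*)               # not a plain account name
                # Keeps lines such as "-o -u 0 x" from reaching useradd as options
                echo "skipping invalid user name: $mu_user" >&2
                mu_rc=3
                continue ;;
        esac
        # Account already exists: leave it untouched
        if id -u "$mu_user" >/dev/null 2>&1; then
            continue
        fi
        # /bin/false as login shell: the account exists but cannot log in
        "$USERADD" -s /bin/false -- "$mu_user" || mu_rc=4
    done < "$1"
    return "$mu_rc"
}

# Run only when the file is invoked under the name the task asks for
case "${0##*/}" in
    makeusers) makeusers "$@" ;;
esac
```

Because the script runs as root on a file someone else may have written, each line is matched against an allow-list pattern before it is handed to useradd.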